Skip to content

Commit 85e092d

Browse files
committed
Fix up tests
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
1 parent 76da51e commit 85e092d

7 files changed

Lines changed: 23 additions & 14 deletions

File tree

pkg/programkind/programkind_test.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -49,7 +49,7 @@ func TestPath(t *testing.T) {
4949
{"/etc/systemd/system/launcher.service", &FileType{MIME: "text/x-systemd", Ext: "service"}},
5050
{"yarn-package.json", &FileType{MIME: "application/json", Ext: "json"}},
5151
{"/home/yeti/.hidden/package.json", &FileType{MIME: "application/json", Ext: "json"}},
52-
{"unknown.json", nil},
52+
{"unknown.json", &FileType{MIME: "application/json", Ext: "json"}},
5353
}
5454
for _, tt := range tests {
5555
t.Run(tt.in, func(t *testing.T) {

rules/c2/tool_transfer/exe_url.yara

Lines changed: 17 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@ rule http_url_with_exe: high {
55
strings:
66
$exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.exe/
77
$not_mongodb_404 = "https://docs.mongodb.com/manual/reference/method/Bulk.exe"
8+
$not_elastic = "\"license\": \"Elastic License v2\""
89
910
condition:
1011
any of ($exe*) and none of ($not*)
@@ -14,11 +15,14 @@ rule http_ip_url_with_exe: critical {
1415
meta:
1516
description = "accesses hardcoded executable endpoint via IP"
1617

18+
1719
strings:
1820
$exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.exe/
1921
22+
$not_elastic = "\"license\": \"Elastic License v2\""
23+
2024
condition:
21-
any of ($exe*)
25+
any of ($exe*) and none of ($not*)
2226
}
2327

2428
rule http_url_with_msi: high {
@@ -28,8 +32,10 @@ rule http_url_with_msi: high {
2832
strings:
2933
$exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.msi/
3034
35+
$not_elastic = "\"license\": \"Elastic License v2\""
36+
3137
condition:
32-
any of ($exe*)
38+
any of ($exe*) and none of ($not*)
3339
}
3440

3541
rule http_ip_url_with_msi: critical {
@@ -39,8 +45,10 @@ rule http_ip_url_with_msi: critical {
3945
strings:
4046
$exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.msi/
4147
48+
$not_elastic = "\"license\": \"Elastic License v2\""
49+
4250
condition:
43-
any of ($exe*)
51+
any of ($exe*) and none of ($not*)
4452
}
4553

4654
rule http_url_with_powershell: high {
@@ -50,8 +58,10 @@ rule http_url_with_powershell: high {
5058
strings:
5159
$exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.ps1/
5260
61+
$not_elastic = "\"license\": \"Elastic License v2\""
62+
5363
condition:
54-
any of ($exe*)
64+
any of ($exe*) and none of ($not*)
5565
}
5666

5767
rule http_ip_url_with_powershell: critical {
@@ -61,6 +71,8 @@ rule http_ip_url_with_powershell: critical {
6171
strings:
6272
$exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.ps1/
6373
74+
$not_elastic = "\"license\": \"Elastic License v2\""
75+
6476
condition:
65-
any of ($exe*)
77+
any of ($exe*) and none of ($not*)
6678
}

rules/impact/remote_access/botnet.yara

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,7 @@ rule botnet_high: high {
3232
$botnet = "Botnet"
3333
$not_phishing = "phishing"
3434
$not_keylogger = "keylogger"
35+
$not_wikiticker_contribution = "Undid revision 680586363 by"
3536
3637
condition:
3738
filesize < 20MB and any of ($bot*) and none of ($not*)

tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,5 @@
1-
# linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json: high
1+
# linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json: medium
22
3P/sig_base/hacktool_strings_p0wnedshell: low
3-
c2/tool_transfer/exe_url: high
43
c2/tool_transfer/os: low
54
exec/shell/power: medium
65
impact/infection/infected: medium

tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,5 @@
1-
# linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json: high
1+
# linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json: medium
22
3P/sig_base/p0wnedpotato: low
3-
c2/tool_transfer/exe_url: high
43
c2/tool_transfer/os: low
54
exec/shell/power: medium
65
net/download: medium

tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,6 @@
1-
# linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json: high
1+
# linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json: medium
22
3P/sig_base/hacktool_strings_p0wnedshell: low
33
c2/addr/url: medium
4-
c2/tool_transfer/exe_url: high
54
c2/tool_transfer/os: low
65
credential/password: low
76
exec/shell/power: medium

tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
# linux/clean/wikiticker-2015-09-12-sampled.json: high
1+
# linux/clean/wikiticker-2015-09-12-sampled.json: medium
22
anti-behavior/blocklist/user: medium
33
anti-behavior/random_behavior: low
44
c2/addr/ip: medium
@@ -12,7 +12,6 @@ fs/file/delete_forcibly: low
1212
fs/path/relative: medium
1313
impact/infection/worm: medium
1414
impact/remote_access/agent: medium
15-
impact/remote_access/botnet: high
1615
impact/remote_access/implant: medium
1716
impact/remote_access/trojan: medium
1817
net/download: medium

0 commit comments

Comments
 (0)